Cloud security gateway startup Adallom discovered an unusual variant of the Zeus Trojan that it said can crawl and steal Salesforce.com data once it has successfully infected a victim's computer.

The company said it detected unusual activity on a customer's Salesforce.com account, which led to the discovery of an infection on an employee's home PC. Adallom's service detected a single user performing hundreds of view operations in a short period of time, triggering an alert to the customer's IT team. Investigators discovered the Zeus malware on a PC running Microsoft Windows XP with no antivirus software, Adallom said.

The notorious Zeus banking malware is known for targeting online account credentials to drain user bank accounts. This marks the first time the Zeus variant has been detected harvesting data from a Salesforce.com account, said Ami Luttwak, co-founder and CTO of Israel-based Adallom.

"Zeus was one of the first Trojans that built botnets for financial crimes, but this time we saw Zeus turned against Salesforce," Luttwak said.

Luttwak told CRN that the malware it discovered does not target a vulnerability in Salesforce.com. Instead, it takes advantage of the trust relationship that is legitimately established once the user has authenticated to the service using a device. The home PC that was examined by incident responders had a variety of malware installed on it, Luttwak said.

"We saw that Zeus was attempting to download the Salesforce data to a local drive," Luttwak said. "From a company security perspective, there was no way of learning what was done on this device or no way to tell what devices were accessing their cloud services."

Adallom has detected other kinds of malicious software that can crawl and harvest Salesforce.com data. That software is typically used by account executives to reap as many contacts as possible before moving on to another job, Luttwak said. The firm alerts on the "Rolodexing" practice by default.
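The alert described above (a single user performing hundreds of view operations in a short period, which also covers the "Rolodexing" case) can be expressed as a per-user sliding-window count of distinct records viewed. The following is an added example, not Adallom's detection logic; the event format, the 5-minute window and the 200-record threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: the article says only "hundreds of view operations in a
# short period of time"; these values are illustrative.
WINDOW = timedelta(minutes=5)
MAX_DISTINCT_VIEWS = 200

def detect_view_bursts(events, window=WINDOW, max_views=MAX_DISTINCT_VIEWS):
    """events: time-ordered (timestamp, user, action, record_id) tuples.
    Returns {user: (time of first alert, distinct records in the window)}."""
    recent = defaultdict(deque)  # user -> (timestamp, record_id) inside the window
    alerts = {}
    for ts, user, action, record_id in events:
        if action != "view":
            continue
        q = recent[user]
        q.append((ts, record_id))
        while ts - q[0][0] > window:  # drop views older than the window
            q.popleft()
        # Count distinct records so that refreshing one page is not a crawl.
        distinct = len({rid for _, rid in q})
        if distinct > max_views and user not in alerts:
            alerts[user] = (ts, distinct)
    return alerts

def sample_events():
    """Constructed audit events: normal use, a crawl, and a refresh loop."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = []
    for i in range(40):   # alice: one contact every 10 minutes
        ev.append((t0 + timedelta(minutes=10 * i), "alice", "view", f"contact-{i}"))
    for i in range(300):  # bob: 300 different contacts, one per second
        ev.append((t0 + timedelta(hours=1, seconds=i), "bob", "view", f"contact-{i}"))
    for i in range(300):  # carol: the same 3 reports reloaded repeatedly
        ev.append((t0 + timedelta(hours=2, seconds=i), "carol", "view", f"report-{i % 3}"))
    return sorted(ev)

if __name__ == "__main__":
    for user, (when, n) in detect_view_bursts(sample_events()).items():
        print(f"ALERT {user}: {n} distinct records viewed within {WINDOW} at {when}")
```

Counting distinct records rather than raw requests keeps a dashboard that auto-refreshes the same few pages from raising the same alert as a crawl.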

Adallom, which came out of stealth last November, is one of a new breed of emerging security vendors that use a proxy service to monitor the SaaS accounts employees use and validate activity on those accounts. The company competes with a variety of other vendors that provide authentication, encryption and other features to improve the security, privacy and transparency of cloud-based services used by employees. The latest vendor to come out of stealth mode is Elastica, a San Jose, Calif.-based company that sells a platform designed to audit cloud services, detect threats and gain visibility into corporate users' cloud services usage.

Solution providers tell CRN that the Zeus Trojan is one of a number of common malware families used by financially motivated cybercriminals in automated attack toolkits. The malware is so ubiquitous that it typically can be caught by standard antivirus software. Rather than attempting to remove an infection, security vendor partners that provide managed services say they typically wipe infected machines and then reimage them with backup and recovery software.